In November, we updated you on the FCA's decision to fine Liberty Mutual Insurance Europe SE £5.28 million for failing to properly oversee the insurance claims and complaints handling process administered through an outsourcing agreement with a third party. In that update, we highlighted previous failings of R. Raphael & Sons plc ("Raphaels") which resulted in a fine of £1.2m due to inadequate intra-group outsourcing arrangements.
We examine the facts and issues in this case, and offer a number of points to note which regulated entities are well-advised to consider in an area which has recently proved to be fertile ground for the regulators. We also look at what lies ahead in this area.
Raphaels is a retail bank providing banking and related financial services. Its Payment Services Division relies on outsourced service providers to perform certain functions that are critical to the operation of its card programmes.
On Christmas Eve 2015, one of Raphaels' service providers suffered an IT incident which led to the failure of the authorisation and processing services it provided to Raphaels for over eight hours. During this period, customers attempted transactions with an aggregate value of £558,400; these transactions were declined as a result of the IT incident.
The investigation by the FCA and PRA found that, much like with the Liberty case, there were weaknesses throughout Raphaels' outsourcing systems and controls which they ought to have been aware of since April 2014. Specific criticism focussed on Raphaels' understanding (or lack thereof) of the business continuity and disaster recovery arrangements of the service provider, which was brought into sharp focus during the events of Christmas Eve 2015. The agreements which directed the relationship failed to include appropriate service level agreements, and there was no process in place to identify how much outsourcing risk Raphaels was exposed to.
The FCA and PRA imposed a combined fine of £1.89 million on Raphaels, which qualified for the 30% discount for early settlement.
Points to Note
- The constant regulatory enforcement in this area underlines the fact that regulators have little sympathy where there is an outsourcing failure, and an incident which highlights such a failure will inevitably draw their attention. Firms must be proactive and ensure there are appropriate arrangements in place which will prevent such incidents taking place, limit any damage caused by an incident, and withstand regulatory scrutiny in the event of a supervisory visit or an investigation.
- Regulated entities are advised to approach outsourcing in much the same way they are required to approach the KYC element of their anti-money laundering procedures under the Money Laundering Regulations 2017. It is imperative that full due diligence is conducted on a potential service provider, and any risks – and how those risks are to be mitigated – must be fully documented and assessed on an ongoing basis.
- In this case, the FCA Final Notice reserved particular criticism for the board of Raphaels, highlighting that the incident resulted from "deeper flaws in its governance of critical outsourced services and outsource service providers". Outsourcing critical activities is not an activity which should only be managed at the operational level of the business; senior management must be actively involved and have clear oversight of the way in which the organisation outsources its activities.
- One action taken by Raphaels in response to the incident and subsequent regulatory enforcement was to allocate first-line responsibility for outsourcing to a Senior Management Function holder. The allocation of managing outsourcing activities to an SMF holder can be seen as appropriate and sensible in the circumstances, and one which other entities may wish to consider.
It is clear that enforcement in this area will continue. It is a topic that was given specific reference by the Chairman in the FCA's Business Plan 2019/20 and formed part of the FCA's cross-sector priority on operational resilience. Further, international regulators are taking action in this area, most recently the Central Bank of Ireland ("CBI"). On 24 June, the CBI announced a fine of €1,600,000 on an Irish subsidiary of JPMorgan Chase & Co for "serious failings" in its outsourcing framework. Much like in the case of Raphaels, the CBI flagged particular shortcomings in the subsidiary's governance and oversight controls in relation to outsourcing.
Looking ahead, the FCA and PRA published a Discussion Paper on this topic in July 2018 entitled Building the UK Financial Sector's Operational Resilience. Responses have been analysed, and we can expect a further consultation towards the end of the year/early 2020 to discuss policy proposals emanating from that process.